Today’s VERT Alert addresses Microsoft’s March 2022 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-989 on Wednesday, March 9th.
In-The-Wild & Disclosed CVEs
CVE-2022-21990 describes a code execution vulnerability within Remote Desktop Client. The vulnerability requires that a malicious actor control the Remote Desktop Server to which the client has connected. Upon connecting to the malicious server, code is executed on the client system. While Microsoft has said that exploitation is more likely, the fact that an attacker must control a malicious server and that the user must willingly connect to it will mitigate the risk presented by this vulnerability.
Microsoft has rated this as Exploitation More Likely on the latest software release on the Exploitability Index.
A local privilege escalation vulnerability exists within the Windows Fax and Scan Service that could allow privilege escalation on all supported versions of Windows. In order to exploit this vulnerability, an attacker would need to already have authenticated access to the system. Unfortunately, not a lot of details are available to help us determine exactly where the vulnerability exists.
Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
This is an interesting vulnerability when you read everything that Microsoft has written about it. The confidentiality, integrity, and availability aspects of the CVSS score are set to low with Microsoft stating that the ability to exploit the vulnerability is limited because it must be used in combination with other vulnerabilities. Additionally, a user must perform an action to trigger the payload. The fact that this requires the user to take action and that other vulnerabilities be used is interesting when paired with the fact that Microsoft listed Privileges Required as None. The multitude of factors needed to create exploit conditions indicates that it is unlikely that we will see exploits surface for this vulnerability.
Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis. Vulnerabilities are also colour coded to aid with identifying key issues.
- Traditional Software
- Mobile Software
- Cloud or Cloud Adjacent
- Vulnerabilities that are being exploited or that have been disclosed will be bold.
| Tag | CVE Count | CVEs |
| Windows Fastfat Driver | 1 | CVE-2022-23293 |
| Tablet Windows User Interface | 1 | CVE-2022-24460 |
| Microsoft Office Word | 2 | CVE-2022-24462, CVE-2022-24511 |
| Windows Media | 1 | CVE-2022-21973 |
| Windows Installer | 1 | CVE-2022-23296 |
| Windows Common Log File System Driver | 1 | CVE-2022-23281 |
| Microsoft Defender for IoT | 2 | CVE-2022-23265, CVE-2022-23266 |
| Microsoft Windows ALPC | 3 | CVE-2022-23283, CVE-2022-23287, CVE-2022-24505 |
| Microsoft Windows Codecs Library | 13 | CVE-2022-21977, CVE-2022-22010, CVE-2022-23295, CVE-2022-23300, CVE-2022-23301, CVE-2022-22006, CVE-2022-22007, CVE-2022-24451, CVE-2022-24452, CVE-2022-24453, CVE-2022-24501, CVE-2022-24456, CVE-2022-24457 |
| Visual Studio Code | 1 | CVE-2022-24526 |
| Windows Cloud Files Mini Filter Driver | 1 | CVE-2022-23286 |
| Windows Security Support Provider Interface | 1 | CVE-2022-24454 |
| Windows Ancillary Function Driver for WinSock | 1 | CVE-2022-24507 |
| XBox | 1 | CVE-2022-21967 |
| Windows Event Tracing | 1 | CVE-2022-23294 |
| Windows Kernel | 2 | CVE-2022-23298, CVE-2022-23297 |
| Windows DWM Core Library | 2 | CVE-2022-23291, CVE-2022-23288 |
| Microsoft Exchange Server | 2 | CVE-2022-24463, CVE-2022-23277 |
| Windows Point-to-Point Tunneling Protocol | 1 | CVE-2022-23253 |
| Windows Remote Desktop | 3 | CVE-2022-21990, CVE-2022-24503, CVE-2022-23285 |
| Microsoft Office Visio | 3 | CVE-2022-24509, CVE-2022-24461, CVE-2022-24510 |
| Azure Site Recovery | 11 | CVE-2022-24506, CVE-2022-24515, CVE-2022-24467, CVE-2022-24468, CVE-2022-24469, CVE-2022-24517, CVE-2022-24470, CVE-2022-24518, CVE-2022-24519, CVE-2022-24471, CVE-2022-24520 |
| Windows CD-ROM Driver | 1 | CVE-2022-24455 |
| Paint 3D | 1 | CVE-2022-23282 |
| .NET and Visual Studio | 3 | CVE-2022-24512, CVE-2022-24464, CVE-2020-8927 |
| Windows Update Stack | 1 | CVE-2022-24525 |
| Windows Print Spooler Components | 1 | CVE-2022-23284 |
| Role: Windows Hyper-V | 1 | CVE-2022-21975 |
| Windows PDEV | 1 | CVE-2022-23299 |
| Windows HTML Platform | 1 | CVE-2022-24502 |
| Microsoft Defender for Endpoint | 1 | CVE-2022-23278 |
| Microsoft Edge (Chromium-based) | 21 | CVE-2022-0789, CVE-2022-0790, CVE-2022-0791, CVE-2022-0792, CVE-2022-0793, CVE-2022-0794, CVE-2022-0795, CVE-2022-0796, CVE-2022-0797, CVE-2022-0798, CVE-2022-0799, CVE-2022-0800, CVE-2022-0801, CVE-2022-0802, CVE-2022-0803, CVE-2022-0804, CVE-2022-0805, CVE-2022-0806, CVE-2022-0807, CVE-2022-0808, CVE-2022-0809 |
| Windows COM | 1 | CVE-2022-23290 |
| Windows SMB Server | 1 | CVE-2022-24508 |
| Windows Fax and Scan Service | 1 | CVE-2022-24459 |
| Microsoft Intune | 1 | CVE-2022-24465 |
| Skype Extension for Chrome | 1 | CVE-2022-24522 |
Other Information
There were no new advisories included with the March Security Guidance.
